draft-ietf-dane-protocol-04.txt   draft-ietf-dane-protocol-05.txt 
Network Working Group P. Hoffman Network Working Group P. Hoffman
Internet-Draft VPN Consortium Internet-Draft VPN Consortium
Intended status: Standards Track J. Schlyter Intended status: Standards Track J. Schlyter
Expires: August 14, 2011 Kirei AB Expires: August 27, 2011 Kirei AB
February 10, 2011 February 23, 2011
Using Secure DNS to Associate Certificates with Domain Names For TLS Using Secure DNS to Associate Certificates with Domain Names For TLS
draft-ietf-dane-protocol-04 draft-ietf-dane-protocol-05
Abstract Abstract
TLS and DTLS use certificates for authenticating the server. Users TLS and DTLS use certificates for authenticating the server. Users
want their applications to verify that the certificate provided by want their applications to verify that the certificate provided by
the TLS server is in fact associated with the domain name they the TLS server is in fact associated with the domain name they
expect. Instead of trusting a certification authority to have made expect. DNSSEC provides a mechanism for a zone operator to sign DNS
this association correctly, the user might instead trust the information directly. This way, bindings of keys to domains are
authoritative DNS server for the domain name to make that asserted not by external entities, but by the entities that operate
association. This document describes how to use secure DNS to the DNS. This document describes how to use secure DNS to associate
associate the TLS server's certificate with the the intended domain the TLS server's certificate with the the intended domain name.
name.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 14, 2011. This Internet-Draft will expire on August 27, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 27 skipping to change at page 2, line 26
2.1. Requested Domain Name . . . . . . . . . . . . . . . . . . 5 2.1. Requested Domain Name . . . . . . . . . . . . . . . . . . 5
2.2. Format of the Resource Record . . . . . . . . . . . . . . 5 2.2. Format of the Resource Record . . . . . . . . . . . . . . 5
2.3. Making Certificate Associations . . . . . . . . . . . . . 6 2.3. Making Certificate Associations . . . . . . . . . . . . . 6
2.4. Presentation Format . . . . . . . . . . . . . . . . . . . 7 2.4. Presentation Format . . . . . . . . . . . . . . . . . . . 7
2.5. Wire Format . . . . . . . . . . . . . . . . . . . . . . . 7 2.5. Wire Format . . . . . . . . . . . . . . . . . . . . . . . 7
3. Use of TLS Certificate Associations in TLS . . . . . . . . . . 8 3. Use of TLS Certificate Associations in TLS . . . . . . . . . . 8
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
4.1. TLSA RRtype . . . . . . . . . . . . . . . . . . . . . . . 9 4.1. TLSA RRtype . . . . . . . . . . . . . . . . . . . . . . . 9
4.2. TLSA Certificate Types . . . . . . . . . . . . . . . . . . 9 4.2. TLSA Certificate Types . . . . . . . . . . . . . . . . . . 9
4.3. TLSA Hash Types . . . . . . . . . . . . . . . . . . . . . 9 4.3. TLSA Hash Types . . . . . . . . . . . . . . . . . . . . . 9
5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
7.1. Normative References . . . . . . . . . . . . . . . . . . . 10 7.1. Normative References . . . . . . . . . . . . . . . . . . . 11
7.2. Informative References . . . . . . . . . . . . . . . . . . 11 7.2. Informative References . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
The first response from the server in TLS may contain a certificate. The first response from the server in TLS may contain a certificate.
In order for the TLS client to authenticate that it is talking to the In order for the TLS client to authenticate that it is talking to the
expected TLS server, the client must validate that this certificate expected TLS server, the client must validate that this certificate
is associated with the domain name used by the client to get to the is associated with the domain name used by the client to get to the
server. Currently, the client must extract the domain name from the server. Currently, the client must extract the domain name from the
certificate, must trust a trust anchor upon which the server's certificate, must trust a trust anchor upon which the server's
certificate is rooted, and must successfully validate the certificate is rooted, and must successfully validate the
skipping to change at page 5, line 47 skipping to change at page 5, line 47
The format of the data in the resource record is a binary record with The format of the data in the resource record is a binary record with
three values, which MUST be in the order defined here: three values, which MUST be in the order defined here:
o A one-octet value, called "certificate type", specifying the o A one-octet value, called "certificate type", specifying the
provided association that will be used to match the target provided association that will be used to match the target
certificate. This will be an IANA registry in order to make it certificate. This will be an IANA registry in order to make it
easier to add additional certificate types in the future. The easier to add additional certificate types in the future. The
types defined in this document are: types defined in this document are:
1 -- Hash of an end-entity certificate 1 -- An end-entity certificate in DER encoding
2 -- Full end-entity certificate in DER encoding 2 -- A certification authority's certificate in DER encoding
3 -- Hash of an certification authority's certificate o A one-octet value, called "reference type", specifying how the
4 -- Full certification authority's certificate in DER encoding certificate association is presented. This value is defined in a
new IANA registry. The types defined in this document are:
o A one-octet value, called "hash type", specifying the type of hash 0 -- Full certificate
algorithm used for the certificate association. This value is
defined in a new IANA registry. When no hashing is used (that is, 1 -- SHA-1 hash of the certificate
in the certificate types where the full certificate is given), the
hash type MUST be 0. Using the same hash algorithm as is used in 2 -- SHA-256 hash of the certificate
the signature in the certificate will make it more likely that the
TLS client will understand this TLSA data. 3 -- SHA-384 hash of the certificate
Using the same hash algorithm as is used in the signature in the
certificate will make it more likely that the TLS client will
understand this TLSA data.
o The "certificate for association". This is the bytes containing o The "certificate for association". This is the bytes containing
the certificate or the hash of the associated certificate (that the full certificate or the hash of the associated certificate
is, the certificate or the hash of the certificate itself, not of (that is, the certificate or the hash of the certificate itself,
the TLS ASN.1Cert object). not of the TLS ASN.1Cert object).
Certificate types 1 through 4 explicitly only apply to PKIX-formatted Certificate types 1 and 2 explicitly only apply to PKIX-formatted
certificates. If TLS allows other formats later, or if extensions to certificates. If TLS allows other formats later, or if extensions to
this protocol are made that accept other formats for certificates, this protocol are made that accept other formats for certificates,
those certificates will need certificate types. those certificates will need certificate types.
2.3. Making Certificate Associations 2.3. Making Certificate Associations
A TLS client conforming to this protocol MUST treat the certificate A TLS client conforming to this protocol MUST treat the certificate
for association in a TLSA resource record for a domain name as a for association in a TLSA resource record for a domain name as a
trust anchor for that domain name at the specific port number and trust anchor for that domain name at the specific port number and
transport name that was queried. This trust anchor MUST only be used transport name that was queried. This trust anchor MUST only be used
for the domain name of the resource record. The trust anchor MUST for the domain name of the resource record. The trust anchor MUST
NOT be loaded for longer than the TTL on the TSLA record. NOT be loaded for longer than the TTL on the TSLA record.
The TLS client determines whether or not the certificate offered by The TLS client determines whether or not the certificate offered by
the TLS server matches the trust anchor received in the TLSA resource the TLS server matches the trust anchor received in the TLSA resource
record. If the certificate from the TLS server matches, the TLS record. If the certificate from the TLS server matches, the TLS
client accepts the certificate association. Each certificate type client accepts the certificate association. Each certificate type
has a different method for determining matching. has a different method for determining matching.
For types 1 and 3, the hash used in the comparison is the hash type Certificate type 1 (end-entity certificate) is matched against the
from the TLSA data. first certificate offered by the TLS server. The certificate for
association is used only for exact matching, not for chained
Types 1 (hash of an end-entity certificate) and 2 (full end-entity validation. With reference type 0, the certificate association is
certificate) are matched against the first certificate offered by the valid if the certificate in the TLSA data matches to the first
TLS server. With these two types, the trust anchor is used only for certificate offered by TLS. With reference types other than 0, the
exact matching, not for chained validation. For type 1, the
certificate association is valid if the hash of the first certificate certificate association is valid if the hash of the first certificate
offered by the TLS server matches the value from the resource record. offered by the TLS server matches the value from the TLSA data.
For type 2, the certificate association is valid if the certificate
in the TLSA data matches to the first certificate offered by TLS.
Type 3 (hash of certification authority's certificate) can be used in
one of two ways. If the hash of any certificate past the first in
the certificate bundle from TLS matches the trust anchor from the
TLSA data, and the chain in the certificate bundle is valid up to
that TLSA trust anchor, then the certificate association is valid.
Alternately, if the first certificate offered chains to an existing
trust anchor in the TLS client's trust anchor repositor, and the hash
of that trust anchor matches the value from the TLSA data, then the
certificate association is valid.
Type 4 (full certification authority's certificate) is used in Certificate type 2 (certification authority's certificate) can be
chaining from the end-entity given in TLS. The certificate used in one of two ways. With reference type 0, the certificate in
association is valid if the first certificate in the certificate the TLSA resource record is used in chaining from the end-entity
bundle can be validly chained to the trust anchor from the TLSA data. given in TLS. The certificate association is valid if the first
certificate in the certificate bundle can be validly chained to the
trust anchor from the TLSA data. With reference types other than 0,
if the hash of any certificate past the first in the certificate
bundle from TLS matches the trust anchor from the TLSA data, and the
chain in the certificate bundle is valid up to that TLSA trust
anchor, then the certificate association is valid. Alternately, if
the first certificate offered chains to an existing trust anchor in
the TLS client's trust anchor repository, and the hash of that trust
anchor matches the value from the TLSA data, then the certificate
association is valid.
[[ Need discussion of self-signed certificates being CA certificates. [[ Need discussion of self-signed certificates being CA certificates.
Need to be sure that this discussion uses correct PKIX terminology Need to be sure that this discussion uses correct PKIX terminology
and is carefully explained. ]] and is carefully explained. ]]
2.4. Presentation Format 2.4. Presentation Format
The RDATA of the presentation format of the TLSA resource record The RDATA of the presentation format of the TLSA resource record
consists of two numbers (certificate and hash type) followed by the consists of two numbers (certificate and hash type) followed by the
bytes containing the certificate or the hash of the associated bytes containing the certificate or the hash of the associated
certificate itself, presented in hex. An example of a SHA-256 hash certificate itself, presented in hex. An example of a SHA-256 hash
(type 2) of an end-entity certificate (type 1) would be: (type 2) of an end-entity certificate (type 1) would be:
_443._tcp.www.example.com. IN TLSA ( _443._tcp.www.example.com. IN TLSA (
1 2 5c1502a6549c423be0a0aa9d9a16904de5ef0f5c98 1 2 5c1502a6549c423be0a0aa9d9a16904de5ef0f5c98
c735fcca79f09230aa7141 ) c735fcca79f09230aa7141 )
An example of an unhashed (type 0) CA certificate (type 4) would be: An example of an unhashed CA certificate (type 2) would be:
_443._tcp.www.example.com. IN TLSA ( _443._tcp.www.example.com. IN TLSA (
4 0 308202c5308201ada00302010202090... ) 2 0 308202c5308201ada00302010202090... )
Because the length of hashes and certificates can be quite long, Because the length of hashes and certificates can be quite long,
presentation format explicitly allows line breaks and white space in presentation format explicitly allows line breaks and white space in
the hex values; those characters are removed when converting to the the hex values; those characters are removed when converting to the
wire format. wire format.
2.5. Wire Format 2.5. Wire Format
The wire format is: The wire format is:
skipping to change at page 8, line 24 skipping to change at page 8, line 24
The wire format for the RDATA in the first example given above would The wire format for the RDATA in the first example given above would
be: be:
_443._tcp.www.example.com. IN TYPE65534 \# 34 ( 01025c1502a6549c42 _443._tcp.www.example.com. IN TYPE65534 \# 34 ( 01025c1502a6549c42
3be0a0aa9d9a16904de5ef0f5c98c735fcca79f09230aa7141 ) 3be0a0aa9d9a16904de5ef0f5c98c735fcca79f09230aa7141 )
The wire format for the RDATA in the second example given above would The wire format for the RDATA in the second example given above would
be: be:
_443._tcp.www.example.com. IN TYPE65534 \# 715 0400308202c5308201a... _443._tcp.www.example.com. IN TYPE65534 \# 715 0200308202c5308201a...
Note that in the preceding examples, "TYPE65534" is given as an
example. That RR Type is in the IANA "private use" range; the real
RR Type for TLSA will be issued by IANA, as described in the IANA
Considerations section below.
3. Use of TLS Certificate Associations in TLS 3. Use of TLS Certificate Associations in TLS
In order to use one or more TLS certificate associations described in In order to use one or more TLS certificate associations described in
this document obtained from the DNS, an application MUST assure that this document obtained from the DNS, an application MUST assure that
the certificates were obtained using DNS protected by DNSSEC. TLSA the certificates were obtained using DNS protected by DNSSEC. TLSA
records must only be trusted if they were obtained from a trusted records must only be trusted if they were obtained from a trusted
source. This could be a localhost DNS resolver answer with the AD source. This could be a localhost DNS resolver answer with the AD
bit set, an inline validating resolver library primed with the proper bit set, an inline validating resolver library primed with the proper
trust anchors, or obtained from a remote nameserver to which one has trust anchors, or obtained from a remote nameserver to which one has
skipping to change at page 8, line 48 skipping to change at page 9, line 5
understood by the TLS client, that certificate association MUST be understood by the TLS client, that certificate association MUST be
marked as unusable. marked as unusable.
An application that requests TLS certificate associations using the An application that requests TLS certificate associations using the
method described in this document obtains zero or more usable method described in this document obtains zero or more usable
certificate associations. If the application receives zero usable certificate associations. If the application receives zero usable
certificate associations, it processes TLS in the normal fashion. certificate associations, it processes TLS in the normal fashion.
If a match between one of the certificate association(s) and the If a match between one of the certificate association(s) and the
server's end entity certificate in TLS is found, the TLS client server's end entity certificate in TLS is found, the TLS client
continues the TLS handshake. If a match between the certificate continues the TLS handshake. If no match between the usable
association(s) and the server's end entity certificate in TLS is not certificate association(s) and the server's end entity certificate in
found, the TLS client MUST abort the handshake with an TLS is found, the TLS client MUST abort the handshake with an
"access_denied" error. "access_denied" error.
4. IANA Considerations 4. IANA Considerations
4.1. TLSA RRtype 4.1. TLSA RRtype
This document uses a new DNS RRType, TLSA, whose value is TBD. A This document uses a new DNS RRType, TLSA, whose value is TBD. A
separate request for the RRType will be submitted to the expert separate request for the RRType will be submitted to the expert
reviewer, and future versions of this document will have that value reviewer, and future versions of this document will have that value
instead of TBD. instead of TBD.
4.2. TLSA Certificate Types 4.2. TLSA Certificate Types
This document creates a new registry, "Certificate Types for TLSA This document creates a new registry, "Certificate Types for TLSA
Resource Records". The registry policy is "RFC Required". The Resource Records". The registry policy is "RFC Required". The
initial entries in the registry are: initial entries in the registry are:
Value Short description Ref. Value Short description Ref.
------------------------------------------------------------- -------------------------------------------------------------
0 Reserved [This] 0 Reserved [This]
1 Hash of an end-entity cert [This] 1 End-entity certificate [This]
2 Full end-entity cert in DER encoding [This] 2 CA's certificate [This]
3 Hash of an CA's cert [This] 3-254 Unassigned
4 Full CA's cert in DER encoding [This] 255 Private use
5-254 Unassigned
Applications to the registry can request specific values that have Applications to the registry can request specific values that have
yet to be assigned. yet to be assigned.
4.3. TLSA Hash Types 4.3. TLSA Hash Types
This document creates a new registry, "Hash Types for TLSA Resource This document creates a new registry, "Hash Types for TLSA Resource
Records". The registry policy is "Specification Required". The Records". The registry policy is "Specification Required". The
initial entries in the registry are: initial entries in the registry are:
Value Short description Ref. Value Short description Ref.
----------------------------------------------------- -----------------------------------------------------
0 No hash used [This] 0 No hash used [This]
1 SHA-1 NIST FIPS 180-2 1 SHA-1 NIST FIPS 180-2
2 SHA-256 NIST FIPS 180-2 2 SHA-256 NIST FIPS 180-2
3 SHA-384 NIST FIPS 180-2 3 SHA-384 NIST FIPS 180-2
4-254 Unassigned 4-254 Unassigned
255 Private use
Applications to the registry can request specific values that have Applications to the registry can request specific values that have
yet to be assigned. yet to be assigned.
5. Security Considerations 5. Security Considerations
The security of the protocols described in this document relies on The security of the protocols described in this document relies on
the security of DNSSEC as used by the client requesting A and TLSA the security of DNSSEC as used by the client requesting A/AAAA and
records. TLSA records.
A DNS administrator who goes rogue and changes both the A and TLSA A DNS administrator who goes rogue and changes both the A/AAAA and
records for a domain name can cause the user to go to an unauthorized TLSA records for a domain name can cause the user to go to an
server that will appear authorized, unless the client performs unauthorized server that will appear authorized, unless the client
certificate validation and rejects the certificate. That performs certificate validation and rejects the certificate. That
administrator could probably get a certificate issued anyway, so this administrator could probably get a certificate issued anyway, so this
is not an additional threat. is not an additional threat.
The values in the TLSA data will be normally entered in the DNS The values in the TLSA data will be normally entered in the DNS
through the same system used to enter A/AAAA records, and other DNS through the same system used to enter A/AAAA records, and other DNS
information for the host name. If the authentication for changes to information for the host name. If the authentication for changes to
the host information is weak, an attacker can easily change any of the host information is weak, an attacker can easily change any of
this information. Given that the TLSA data is not easily human- this information. Given that the TLSA data is not easily human-
readable, an attacker might change those records and A/AAAA records readable, an attacker might change those records and A/AAAA records
and not have the change be noticed if changes to a zone are only and not have the change be noticed if changes to a zone are only
monitored visually. monitored visually.
If the authentication mechanism for adding or changing TLSA data in a If the authentication mechanism for adding or changing TLSA data in a
zone is weaker than the authentication mechanism for changing the zone is weaker than the authentication mechanism for changing the
A/AAAA records, a man-in-the-middle who can redirect traffic to their A/AAAA records, a man-in-the-middle who can redirect traffic to their
site may be able to impersonate the attacked host in TLS if they can site may be able to impersonate the attacked host in TLS if they can
use the weaker authentication mechanism. A better design for use the weaker authentication mechanism. A better design for
authenticating DNS would be to have the same level of authentication authenticating DNS would be to have the same level of authentication
used for all DNS additions and changes for a particular host. used for all DNS additions and changes for a particular host.
[[ Add discussion of the idea that TLSA makes things worse if an SSL proxies can sometimes act as a man-in-the-middle for TLS clients.
intermediate CA is compromised. Need more from Stephen Farrell. ]] In these scenarios, the clients add a new trust anchor whose private
key is kept on the SSL proxy; the proxy intercepts TLS requests,
creates a new TLS session with the intended host, and sets up a TLS
session with the client using a certificate that chains to the trust
anchor installed in the client by the proxy. In such environments,
the TLSA protocol will prevent the SSL proxy from functioning as
expected because the TLS client will get a certificate association
from the DNS that will not match the certificate that the SSL proxy
uses with the client. The client, seeing the proxy's new certificate
for the supposed destination will not set up a TLS session.
6. Acknowledgements 6. Acknowledgements
Many of the ideas in this document have been discussed over many Many of the ideas in this document have been discussed over many
years. More recently, the ideas have been discussed by the authors years. More recently, the ideas have been discussed by the authors
and others in a more focused fashion. In particular, some of the and others in a more focused fashion. In particular, some of the
ideas here originated with Paul Vixie, Dan Kaminsky, Jeff Hodges, ideas here originated with Paul Vixie, Dan Kaminsky, Jeff Hodges,
Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam Langley, Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam Langley,
Ilari Liusvaara, and Ondrej Sury. Ilari Liusvaara, Scott Schmit, and Ondrej Sury.
7. References 7. References
7.1. Normative References 7.1. Normative References
[4347bis] Rescorla, E. and N. Modadugu, "Datagram Transport Layer [4347bis] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security version 1.2", draft-ietf-tls-rfc4347-bis (work in Security version 1.2", draft-ietf-tls-rfc4347-bis (work in
progress), July 2010. progress), July 2010.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
 End of changes. 25 change blocks. 
75 lines changed or deleted 89 lines changed or added

This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/